Second Round of HIPAA Audits Delayed by Web Portal

The second round of HIPAA compliance audits has been put off until 2015 to give the OCR additional time to test its new internet portal. This next round of audits was initially scheduled to take place this fall.

The new web portal is one of the new initiatives to assist it in policing HIPAA and it is expected to streamline the collection of data. The portal will also be used to submit reports of HIPAA breaches and violations.

OCR senior adviser, Linda Sanches said: “We recently had an opportunity to update the technology we’re using, giving us capabilities that we just didn’t have access to before.”

The introduction of the new portal needs to be completed before the OCR can conduct its next round of audits as the system will need to be used to gather the thousands of documents a round of audits generates. The new system will also enable Jocelyn Samuels to develop the OCR’s program of permanent audits, which former OCR Director Leon Rodriguez had planned before he took up his new role with Homeland Security.

The collection and analysis of documents is an in depth and labor intensive process, and the OCRs resources severely limit the amount of audits it can realistically conduct. The new portal should enable HIPAA-covered entities to simply upload documents if they are selected for a compliance audit, while the automation of the data collection will clear up a large amount of resources at the OCR.

The original audit plan was a pilot comprised of 115 audits, which after an initial assessment would lead to a subsequent round involving 400 remote audits and a number of onsite visits. The number of desk audits has now been reduced to 200, but its budget for onsite visits has been raised. More healthcare organizations can now expect a full and thorough onsite inspection to take place. The next round of audits will also be carried in the main by OCR staff; the pilot audits were conducted by accounting firm, KPMG.

The audit process will begin with pre-screening audits, in which covered entities will be asked to use the portal to submit their documents. The OCR has yet to reveal how many pre-screening audits it will be conducting, although in February the OCR did submit a collection request to the federal register to enable it to contact up to 1,200 covered-entities including healthcare providers, health plans, clearinghouses and Business Associates. The OCR will then choose the most suitable entities for desk and onsite audits.

According to Sanches, covered organizations will be audited first followed by Business Associates. She advises all covered bodies to contact their Business Associates and address any HIPAA issues that currently exist. They should also be advised, if they are not already aware, that they will be subject to audits and are responsible for ensuring that they adhere with all HIPAA Privacy and Security Rules, including the latest Omnibus Rule changes.

Covered entities will be asked to submit a list of all contractors and Business Associates as part of the pre-screening process and she says now is the time to “get your house in order.”

The sample for the coming round of audits will be taken at random; however, there will be some bias as the audits will need to be geographically representative and the full range of covered organizations will need to be covered. Therefore, all covered groups: healthcare providers, health plans, clearinghouses and their Business Associates could be selected for audit. The second round will target larger organizations but that is not to say that pharmacies and small practices will not be chosen for audits.

The OCR has said there will only be a small amount of exceptions in the second round; any organization currently under investigation by the OCR will naturally be exempt as will HIPAA-covered organizations that have an “open breach”.